If you discover a security issue, do not open a public issue. Report it privately to the maintainer.
Include:
- affected command/flow
- impact and reproduction steps
- suggested fix (if available)
Only the latest published version is supported for security fixes.

- Dependency surface minimized (only required runtime packages kept)
- `npm audit` enforced in `prepublishOnly`
- Publish artifact restricted via `files` allowlist
- npm provenance enabled in `publishConfig`

- Direct shell-string execution helper was removed from the codebase.
- Database operations use argument-based process spawning in adapters.
- No `shell: true` execution mode is used.

- Pin Node.js to a supported LTS release
- Use lockfile installs (`npm ci`) in CI
- Run `npm run audit` regularly
- Rotate registry tokens and use 2FA for npm publish